Cyber Trackr - Free Compliance Library
Cyber Trackr
The Free Compliance Library

Network Devices Security Technical Implementation Guide

  • Version/Release: V8R23
  • Published: 2018-11-27
  • Released: 2019-01-25
  • Expand All:
  • Severity:
  • Sort:
Compare

Select any two versions of this STIG to compare the individual requirements

View

Select any old version/release of this STIG to view the previous requirements

Network Devices Security Technical Implementation Guide
b
The IAO will ensure IPSec VPNs are established as tunnel type VPNs when transporting management traffic across an ip backbone network.
Medium - V-3008 - SV-3008r1_rule
RMF Control
Severity
Medium
CCI
Version
NET1800
Vuln IDs
  • V-3008
Rule IDs
  • SV-3008r1_rule
Using dedicated paths, the OOBM backbone connects the OOBM gateway routers located at the premise of the managed networks and at the NOC. Dedicated links can be deployed using provisioned circuits (ATM, Frame Relay, SONET, T-carrier, and others or VPN technologies such as subscribing to MPLS Layer 2 and Layer 3 VPN services) or implementing a secured path with gateway-to-gateway IPsec tunnel. The tunnel mode ensures that the management traffic will be logically separated from any other traffic traversing the same path.Information Assurance Officer
Checks: C-3837r1_chk

Have the SA display the configuration settings that enable this feature. Review the network topology diagram, and review VPN concentrators. Determine if tunnel mode is being used by reviewing the configuration. Examples: In CISCO Router(config)# crypto ipsec transform-set transform-set-name transform1 Router(cfg-crypto-tran)# mode tunnel OR in Junos edit security ipsec security-association sa-name] mode tunnel

Fix: F-3033r1_fix

Establish the VPN as a tunneled VPN. Terminate the tunneled VPN outside of the firewall. Ensure all host-to-host VPN are established between trusted known hosts.

c
Network devices must be password protected.
High - V-3012 - SV-3012r4_rule
RMF Control
Severity
High
CCI
Version
NET0230
Vuln IDs
  • V-3012
Rule IDs
  • SV-3012r4_rule
Network access control mechanisms interoperate to prevent unauthorized access and to enforce the organization's security policy. Access to the network must be categorized as administrator, user, or guest so the appropriate authorization can be assigned to the user requesting access to the network or a network device. Authorization requires an individual account identifier that has been approved, assigned, and configured on an authentication server. Authentication of user identities is accomplished through the use of passwords, tokens, biometrics, or in the case of multi-factor authentication, some combination thereof. Lack of authentication enables anyone to gain access to the network or possibly a network device providing opportunity for intruders to compromise resources within the network infrastructure.Information Assurance Officer
Checks: C-3456r6_chk

Review the network devices configuration to determine if administrative access to the device requires some form of authentication--at a minimum a password is required. If passwords aren't used to administrative access to the device, this is a finding.

Fix: F-3037r6_fix

Configure the network devices so it will require a password to gain administrative access to the device.

b
Network devices must display the DoD-approved logon banner warning.
Medium - V-3013 - SV-3013r5_rule
RMF Control
Severity
Medium
CCI
Version
NET0340
Vuln IDs
  • V-3013
Rule IDs
  • SV-3013r5_rule
All network devices must present a DoD-approved warning banner prior to a system administrator logging on. The banner should warn any unauthorized user not to proceed. It also should provide clear and unequivocal notice to both authorized and unauthorized personnel that access to the device is subject to monitoring to detect unauthorized usage. Failure to display the required logon warning banner prior to logon attempts will limit DoD's ability to prosecute unauthorized access and also presents the potential to give rise to criminal and civil liability for systems administrators and information systems managers. In addition, DISA's ability to monitor the device's usage is limited unless a proper warning banner is displayed. DoD CIO has issued new, mandatory policy standardizing the wording of "notice and consent" banners and matching user agreements for all Secret and below DoD information systems, including stand-alone systems by releasing DoD CIO Memo, "Policy on Use of Department of Defense (DoD) Information Systems Standard Consent Banner and User Agreement", dated 9 May 2008. The banner is mandatory and deviations are not permitted except as authorized in writing by the Deputy Assistant Secretary of Defense for Information and Identity Assurance. Implementation of this banner verbiage is further directed to all DoD components for all DoD assets via USCYBERCOM CTO 08-008A.Information Assurance Officer
Checks: C-3474r11_chk

Review the device configuration or request that the administrator logon to the device and observe the terminal. Verify either Option A or Option B (for systems with character limitations) of the Standard Mandatory DoD Notice and Consent Banner is displayed at logon. The required banner verbiage follows and must be displayed verbatim: Option A You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. Option B If the system is incapable of displaying the required banner verbiage due to its size, a smaller banner must be used. The mandatory verbiage follows: "I've read & consent to terms in IS user agreem't." If the device configuration does not have a logon banner as stated above, this is a finding.

Fix: F-3038r9_fix

Configure all management interfaces to the network device to display the DoD-mandated warning banner verbiage at logon regardless of the means of connection or communication. The required banner verbiage that must be displayed verbatim is as follows: Option A You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. Option B If the system is incapable of displaying the required banner verbiage due to its size, a smaller banner must be used. The mandatory verbiage follows: "I've read & consent to terms in IS user agreem't."

b
The network devices must timeout management connections for administrative access after 10 minutes or less of inactivity.
Medium - V-3014 - SV-3014r4_rule
RMF Control
Severity
Medium
CCI
Version
NET1639
Vuln IDs
  • V-3014
Rule IDs
  • SV-3014r4_rule
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled between the managed network device and a PC or terminal server when the later has been left unattended. In addition quickly terminating an idle session will also free up resources committed by the managed network device as well as reduce the risk of a management session from being hijacked. Setting the timeout of the session to 10 minutes or less increases the level of protection afforded critical network components.Information Assurance Officer
Checks: C-3540r6_chk

Review the management connection for administrative access and verify the network device is configured to time-out the connection at 10 minutes or less of inactivity. If the device does not terminate inactive management connections at 10 minutes or less, this is a finding.

Fix: F-3039r5_fix

Configure the network devices to ensure the timeout for unattended administrative access connections is no longer than 10 minutes.

a
The syslog administrator will configure the syslog sever to collect syslog messages from levels 0 through 6.
Low - V-3031 - SV-3031r1_rule
RMF Control
Severity
Low
CCI
Version
NET1027
Vuln IDs
  • V-3031
Rule IDs
  • SV-3031r1_rule
Logging is a critical part of router security. Maintaining an audit trail of system activity can help identify configuration errors, understand past intrusions, troubleshoot service disruptions, and react to probes and scans of the network. Syslog levels 0-6 are the levels required to collect the necessary information to help in the recovery process. Information Assurance Officer
Checks: C-3955r1_chk

Review the syslog server configuration to ensure that it is collecting syslog messages levels 0 through 6 for the appropriate facilities.

Fix: F-3056r1_fix

The administrator will configure the syslog server to collect syslog messages levels 0 through 6.

a
The IAO/NSO will ensure that security alarms are set up within the managed network's framework. At a minimum, these will include the following: - Integrity Violation: Indicates that network contents or objects have been illegally modified, deleted, or added. - Operational Violation: Indicates that a desired object or service could not be used. - Physical Violation: Indicates that a physical part of the network (such as a cable) has been damaged or modified without authorization. - Security Mechanism Violation: Indicates that the network's security system has been compromised or breached. - Time Domain Violation: Indicates that an event has happened outside its allowed or typical time slot.
Low - V-3046 - SV-3046r1_rule
RMF Control
Severity
Low
CCI
Version
NET1710
Vuln IDs
  • V-3046
Rule IDs
  • SV-3046r1_rule
Without the proper categories of security alarms being defined on the NMS, responding to critical outages or attacks on the network may not be coordinated correctly with the right personnel, hardware, software or vendor maintenance. Delays will inevitably occur which will cause network outages to last longer than necessary or expose the network to larger, more extensive attacks or outages. Information Assurance OfficerECSC-1
Checks: C-3826r1_chk

Request that the network engineer demonstrate the alert capabilities.

Fix: F-3071r1_fix

The NSO will ensure that the NMS is configured, at a minimum, to alarm on the following security violations: integrity, operational, physical, security mechanism, and time domain violation.

a
The IAO/NSO will ensure that alarms are categorized by severity using the following guidelines: - Critical and major alarms are given when a condition that affects service has arisen. For a critical alarm, steps must be taken immediately in order to restore the service that has been lost completely. - A major alarm indicates that steps must be taken as soon as possible because the affected service has degraded drastically and is in danger of being lost completely. - A minor alarm indicates a problem that does not yet affect service, but may do so if the problem is not corrected. - A warning alarm is used to signal a potential problem that may affect service. - An indeterminate alarm is one that requires human intervention to decide its severity.
Low - V-3047 - SV-3047r1_rule
RMF Control
Severity
Low
CCI
Version
NET1720
Vuln IDs
  • V-3047
Rule IDs
  • SV-3047r1_rule
Without the proper categories of severity levels being defined on the NMS, outages or attacks may not be responded to by order of criticality. If a critical attack or outage is not responded to first, then there will be a delay in fixing the problem, which may cause network outages to last longer than necessary or expose the network to larger more extensive attacks or outages. Information Assurance OfficerECSC-1
Checks: C-3827r1_chk

Request that the network engineer demonstrate the alert capabilities.

Fix: F-3072r1_fix

The NSO will ensure that the NMS security alarm severity levels are configured as critical, major, minor, warning and indeterminate.

a
The IAO/NSO will ensure a record is maintained of all logons and transactions processed by the management station. NOTE: Include time logged in and out, devices that were accessed and modified, and other activities performed.
Low - V-3050 - SV-3050r1_rule
RMF Control
Severity
Low
CCI
Version
NET1750
Vuln IDs
  • V-3050
Rule IDs
  • SV-3050r1_rule
Logging is a critical part of network security. Maintaining an audit trail of system activity logs can help identify configuration errors, understand past intrusions, troubleshoot service disruptions, and react to probes and scans of the network. Audit logs are also necessary to provide a trail of evidence in case the network is compromised. Without an audit trail that provides a when, where, who and how set of information, repeat offenders could continue attacks against the network indefinitely. With this information, the network administrator can devise ways to block the attack and possibly identify and prosecute the attacker. Information Assurance OfficerECAR-1, ECAR-2, ECAR-3, ECSC-1
Checks: C-3830r1_chk

Review the NMS configuration and logs

Fix: F-3075r1_fix

The NSO will ensure that the NMS records all logons and transactions on the management station. The log will include at a minimum: time logged in and out, devices that were accessed and modified, and other activities performed. The audit will be stored online for a minimum of 30 days and offline for at least one year.

c
The IAO/NSO will ensure access to the NMS is restricted to authorized users with individual userids and passwords.
High - V-3051 - SV-3051r1_rule
RMF Control
Severity
High
CCI
Version
NET1760
Vuln IDs
  • V-3051
Rule IDs
  • SV-3051r1_rule
If unauthorized users gain access to the NMS they could change device configurations and SNMP variables that can cause disruptions and even denial of service conditions.Information Assurance OfficerECSC-1, IAIA-1, IAIA-2
Checks: C-3831r1_chk

Review the NMS configuration to verify compliancy.

Fix: F-3076r1_fix

The NOC will ensure that access to the NMS is available only to authorized users with appropriate userids and passwords.

c
Group accounts must not be configured for use on the network device.
High - V-3056 - SV-3056r7_rule
RMF Control
Severity
High
CCI
Version
NET0460
Vuln IDs
  • V-3056
Rule IDs
  • SV-3056r7_rule
Group accounts configured for use on a network device do not allow for accountability or repudiation of individuals using the shared account. If group accounts are not changed when someone leaves the group, that person could possibly gain control of the network device. Having group accounts does not allow for proper auditing of who is accessing or changing the network.Information Assurance Officer
Checks: C-3503r11_chk

Review the network device configuration and validate there are no group accounts configured for access. If a group account is configured on the device, this is a finding.

Fix: F-3081r9_fix

Configure individual user accounts for each authorized person then remove any group accounts.

b
Authorized accounts must be assigned the least privilege level necessary to perform assigned duties.
Medium - V-3057 - SV-3057r6_rule
RMF Control
Severity
Medium
CCI
Version
NET0465
Vuln IDs
  • V-3057
Rule IDs
  • SV-3057r6_rule
By not restricting authorized accounts to their proper privilege level, access to restricted functions may be allowed before authorized personnel are trained or experienced enough to use those functions. Network disruptions or outages may occur due to mistakes made by inexperienced persons using accounts with greater privileges than necessary.Information Assurance Officer
Checks: C-3504r8_chk

Review the accounts authorized for access to the network device. Determine if the accounts are assigned the lowest privilege level necessary to perform assigned duties. User accounts must be set to a specific privilege level which can be mapped to specific commands or a group of commands. Authorized accounts should have the least privilege level unless deemed necessary for assigned duties. If it is determined that authorized accounts are assigned to greater privileges than necessary, this is a finding.

Fix: F-3082r5_fix

Configure authorized accounts with the least privilege rule. Each user will have access to only the privileges they require to perform their assigned duties.

b
Unauthorized accounts must not be configured for access to the network device.
Medium - V-3058 - SV-3058r5_rule
RMF Control
Severity
Medium
CCI
Version
NET0470
Vuln IDs
  • V-3058
Rule IDs
  • SV-3058r5_rule
A malicious user attempting to gain access to the network device may compromise an account that may be unauthorized for use. The unauthorized account may be a temporary or inactive account that is no longer needed to access the device. Denial of Service, interception of sensitive information, or other destructive actions could potentially take place if an unauthorized account is configured to access the network device.Information Assurance Officer
Checks: C-3505r5_chk

Review the organization's responsibilities list and reconcile the list of authorized accounts with those accounts defined for access to the network device. If an unauthorized account is configured for access to the device, this is a finding.

Fix: F-3083r5_fix

Remove any account configured for access to the network device that is not defined in the organization's responsibilities list.

b
Management connections to a network device must be established using secure protocols with FIPS 140-2 validated cryptographic modules.
Medium - V-3069 - SV-3069r5_rule
RMF Control
Severity
Medium
CCI
Version
NET1638
Vuln IDs
  • V-3069
Rule IDs
  • SV-3069r5_rule
Administration and management connections performed across a network are inherently dangerous because anyone with a packet sniffer and access to the right LAN segment can acquire the network device account and password information. With this intercepted information they could gain access to the router and cause denial of service attacks, intercept sensitive information, or perform other destructive actions.Information Assurance Officer
Checks: C-3532r8_chk

Review the network device configuration to verify only secure protocols using FIPS 140-2 validated cryptographic modules are used for any administrative access. Some of the secure protocols used for administrative and management access are listed below. This list is not all inclusive and represents a sample selection of secure protocols. -SSHv2 -SCP -HTTPS using TLS If management connections are established using protocols without FIPS 140-2 validated cryptographic modules, this is a finding.

Fix: F-3094r5_fix

Configure the network device to use secure protocols with FIPS 140-2 validated cryptographic modules.

a
Network devices must log all attempts to establish a management connection for administrative access.
Low - V-3070 - SV-3070r4_rule
RMF Control
Severity
Low
CCI
Version
NET1640
Vuln IDs
  • V-3070
Rule IDs
  • SV-3070r4_rule
Audit logs are necessary to provide a trail of evidence in case the network is compromised. Without an audit trail that provides a when, where, who and how set of information, repeat offenders could continue attacks against the network indefinitely. With this information, the network administrator can devise ways to block the attack and possibly identify and prosecute the attacker.Information Assurance Officer
Checks: C-3542r6_chk

Review the configuration to verify all attempts to access the device via management connection are logged. If management connection attempts are not logged, this is a finding.

Fix: F-3095r3_fix

Configure the device to log all access attempts to the device to establish a management connection for administrative access.

c
Network devices must not have any default manufacturer passwords.
High - V-3143 - SV-3143r4_rule
RMF Control
Severity
High
CCI
Version
NET0240
Vuln IDs
  • V-3143
Rule IDs
  • SV-3143r4_rule
Network devices not protected with strong password schemes provide the opportunity for anyone to crack the password thus gaining access to the device and causing network outage or denial of service. Many default vendor passwords are well-known; hence, not removing them prior to deploying the network devices into production provides an opportunity for a malicious user to gain unauthorized access to the device.Information Assurance Officer
Checks: C-40236r3_chk

Review the network devices configuration to determine if the vendor default password is active. If any vendor default passwords are used on the device, this is a finding.

Fix: F-35391r3_fix

Remove any vendor default passwords from the network devices configuration.

b
Network devices must be running a current and supported operating system with all IAVMs addressed.
Medium - V-3160 - SV-3160r4_rule
RMF Control
Severity
Medium
CCI
Version
NET0700
Vuln IDs
  • V-3160
Rule IDs
  • SV-3160r4_rule
Network devices not running the latest tested and approved versions of software are vulnerable to network attacks. Running the most current, approved version of system and device software helps the site maintain a stable base of security fixes and patches, as well as enhancements to IP security. Viruses, denial of service attacks, system weaknesses, back doors and other potentially harmful situations could render a system vulnerable, allowing unauthorized access to DoD assets.Information Assurance Officer
Checks: C-3549r4_chk

Have the administrator display the OS version in operation. The OS must be current with related IAVMs addressed. If the device is using an OS that does not meet all IAVMs or currently not supported by the vendor, this is a finding.

Fix: F-3185r4_fix

Update operating system to a supported version that addresses all related IAVMs.

c
The network device must require authentication prior to establishing a management connection for administrative access.
High - V-3175 - SV-3175r5_rule
RMF Control
Severity
High
CCI
Version
NET1636
Vuln IDs
  • V-3175
Rule IDs
  • SV-3175r5_rule
Network devices with no password for administrative access via a management connection provide the opportunity for anyone with network access to the device to make configuration changes enabling them to disrupt network operations resulting in a network outage.Information Assurance Officer
Checks: C-3516r9_chk

Review the network device configuration to verify all management connections for administrative access require authentication. If authentication isn't configured for management access, this is a finding.

Fix: F-3200r3_fix

Configure authentication for all management connections.

b
The IAO/NSO will ensure all accounts are assigned the lowest possible level of access/rights necessary to perform their jobs.
Medium - V-3184 - SV-3184r1_rule
RMF Control
Severity
Medium
CCI
Version
NET1780
Vuln IDs
  • V-3184
Rule IDs
  • SV-3184r1_rule
Without a formal personnel approval process, unauthorized users may gain access to critical DoD systems. It is imperitive that only the required access to the required systems and information be provided to each individual. The lack of a password protection for communications devices provides anyone access to the device, which opens a backdoor opportunity for intruders to attack and manipulate or compromise network resources. Vendors often assign default passwords to communication devices. These default passwords are well known to the hacker community and are extremely dangerous if left unchanged.Information Assurance OfficerECSC-1
Checks: C-3834r1_chk

Review the user database to determine compliance.

Fix: F-3209r1_fix

Have the NSO ensure that accounts are created with the lowest privilege necessary to perform their duties.

c
The network device must use SNMP Version 3 Security Model with FIPS 140-2 validated cryptography for any SNMP agent configured on the device.
High - V-3196 - SV-3196r4_rule
RMF Control
Severity
High
CCI
Version
NET1660
Vuln IDs
  • V-3196
Rule IDs
  • SV-3196r4_rule
SNMP Versions 1 and 2 are not considered secure. Without the strong authentication and privacy that is provided by the SNMP Version 3 User-based Security Model (USM), an unauthorized user can gain access to network management information used to launch an attack against the network.Information Assurance Officer
Checks: C-3820r6_chk

Review the device configuration to verify it is configured to use SNMPv3 with both SHA authentication and privacy using AES encryption. Downgrades: If the site is using Version 1 or Version 2 with all of the appropriate patches and has developed a migration plan to implement the Version 3 Security Model, this finding can be downgraded to a Category II. If the targeted asset is running SNMPv3 and does not support SHA or AES, but the device is configured to use MD5 authentication and DES or 3DES encryption, then the finding can be downgraded to a Category III. If the site is using Version 1 or Version 2 and has installed all of the appropriate patches or upgrades to mitigate any known security vulnerabilities, this finding can be downgraded to a Category II. In addition, if the device does not support SNMPv3, this finding can be downgraded to a Category III provided all of the appropriate patches to mitigate any known security vulnerabilities have been applied and has developed a migration plan that includes the device upgrade to support Version 3 and the implementation of the Version 3 Security Model. If the device is configured to use to anything other than SNMPv3 with at least SHA-1 and AES, this is a finding. Downgrades can be determined based on the criteria above.

Fix: F-3221r5_fix

If SNMP is enabled, configure the network device to use SNMP Version 3 Security Model with FIPS 140-2 validated cryptography (i.e., SHA authentication and AES encryption).

c
The network device must not use the default or well-known SNMP community strings public and private.
High - V-3210 - SV-3210r4_rule
RMF Control
Severity
High
CCI
Version
NET1665
Vuln IDs
  • V-3210
Rule IDs
  • SV-3210r4_rule
Network devices may be distributed by the vendor pre-configured with an SNMP agent using the well-known SNMP community strings public for read only and private for read and write authorization. An attacker can obtain information about a network device using the read community string "public". In addition, an attacker can change a system configuration using the write community string "private".Information Assurance Officer
Checks: C-3822r7_chk

Review the network devices configuration and verify if either of the SNMP community strings "public" or "private" is being used. If default or well-known community strings are used for SNMP, this is a finding.

Fix: F-3235r4_fix

Configure unique SNMP community strings replacing the default community strings.

b
In the event the authentication server is unavailable, the network device must have a single local account of last resort defined.
Medium - V-3966 - SV-3966r6_rule
RMF Control
Severity
Medium
CCI
Version
NET0440
Vuln IDs
  • V-3966
Rule IDs
  • SV-3966r6_rule
Authentication for administrative access to the device is required at all times. A single account of last resort can be created on the device's local database for use in an emergency such as when the authentication server is down or connectivity between the device and the authentication server is not operable. The console or local account of last resort logon credentials must be stored in a sealed envelope and kept in a safe.
Checks: C-3502r7_chk

Review the network device configuration to determine if an authentication server is defined for gaining administrative access. If so, there must be only one account of last resort configured locally for an emergency. Verify the username and password for the local account of last resort is contained within a sealed envelope kept in a safe. If an authentication server is used and more than one local account exists, this is a finding.

Fix: F-3899r9_fix

Configure the device to only allow one local account of last resort for emergency access and store the credentials in a secure manner.

b
The network devices must time out access to the console port at 10 minutes or less of inactivity.
Medium - V-3967 - SV-3967r4_rule
RMF Control
Severity
Medium
CCI
Version
NET1624
Vuln IDs
  • V-3967
Rule IDs
  • SV-3967r4_rule
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition quickly terminating an idle session will also free up resources committed by the managed network device. Setting the timeout of the session to 10 minutes or less increases the level of protection afforded critical network components.Information Assurance Officer
Checks: C-3511r5_chk

Review the configuration and verify a session using the console port will time out after 10 minutes or less of inactivity. If console access is not configured to timeout at 10 minutes or less, this is a finding.

Fix: F-3900r4_fix

Configure the timeout for idle console connection to 10 minutes or less.

b
L2TP must not pass into the private network of an enclave.
Medium - V-3982 - SV-3982r3_rule
RMF Control
Severity
Medium
CCI
Version
NET-TUNL-013
Vuln IDs
  • V-3982
Rule IDs
  • SV-3982r3_rule
Unlike GRE (a simple encapsulating header) L2TP is a full-fledged communications protocol with control channel, data channels, and a robust command structure. In addition to PPP, other link layer types (called pseudowires) can be and are defined for delivery in L2TP by separate RFC documents. Further complexity is created by the capability to define vender-specific parameters beyond those defined in the L2TP specifications. The endpoint devices of an L2TP connection can be an L2TP Access Concentrator (LAC) in which case it inputs/outputs the layer 2 protocol to/from the L2TP tunnel. Otherwise it is an L2TP Network Server (LNS), in which case it inputs/outputs the layer 3 (IP) protocol to/from the L2TP tunnel. The specifications describe three reference models: LAC-LNS, LAC-LAC, and LNS-LNS, the first of which is the most common case. The LAC-LNS model allows a remote access user to reach his home network or ISP from a remote location. The remote access user either dials (or otherwise connects via layer 2) to a LAC device which tunnels his connection home to an awaiting LNS. The LAC could also be located on the remote user's laptop which connects to an LNS at home using some generic internet connection. The other reference models may be used for more obscure scenarios. Although the L2TP protocol does not contain encryption capability, it can be operated over IPSEC which would provide authentication and confidentiality. A remote user in the LAC-LNS model would most likely obtain a dynamically assigned IP address from the home network to ultimately use through the tunnel back to the home network. Secondly, the outer IP source address used to send the L2TP tunnel packet to the home network is likely to be unknown or highly variable. Thirdly, since the LNS provides the remote user with a dynamic IP address to use, the firewall at the home network would have to be dynamically updated to accept this address in conjunction with the outer tunnel address. Finally, there is also the issue of authentication of the remote user prior to divulging an acceptable IP address. As a result of all of these complications, the strict filtering rules applied to the IP-in-IP and GRE tunneling cases will likely not be possible in the L2TP scenario. In addition to the difficulty of enforcing addresses and endpoints (as explained above), the L2TP protocol itself is a security concern if allowed through a security boundary. In particular: 1) L2TP potentially allows link layer protocols to be delivered from afar. These protocols were intended for link-local scope only, are less defended, and not as well-known 2) The L2TP tunnels can carry IP packets that are very difficult to see and filter because of the additional layer 2 overhead 3) L2TP is highly complex and variable (vender-specific variability) and therefore would be a viable target that is difficult to defend. It is better left outside of the main firewall where less damage occurs if the L2TP-processing node is compromised. 4) Filtering cannot be used to detect and prevent other unintended layer 2 protocols from being tunneled. The strength of the application layer code would have to be relied on to achieve this task. 5) Regardless of whether the L2TP is handled inside or outside of the main network, a secondary layer of IP filtering is required, therefore bringing it inside doesn't save resources. Therefore, it is not recommended to allow unencrypted L2TP packets across the security boundary into the network's protected areas. Reference the Backbone Transport STIG for additional L2TP guidance and use.Information Assurance OfficerECSC-1
Checks: C-3800r5_chk

Review the network topology diagram, and review VPN concentrators. Verify that L2TP is not permitted into the enclave's private network. L2TP uses TCP and UDP ports 1701. See the PPS Vulnerability Assessment for additional protocol guidance and reference the Backbone Transport STIG for exceptions. If L2TP is not filtered outbound, this is a finding.

Fix: F-3915r3_fix

Terminate L2TP tunnels at the enclave perimeter, either in the DMZ or a service network for filtering and content inspection before passing traffic to the enclave's private network.

c
The network device must require authentication for console access.
High - V-4582 - SV-4582r5_rule
RMF Control
Severity
High
CCI
Version
NET1623
Vuln IDs
  • V-4582
Rule IDs
  • SV-4582r5_rule
Network devices with no password for administrative access via the console provide the opportunity for anyone with physical access to the device to make configuration changes enabling them to disrupt network operations resulting in a network outage.Information Assurance Officer
Checks: C-3510r6_chk

Review the network device's configuration and verify authentication is required for console access. If authentication is not configured for console access, this is a finding.

Fix: F-4515r4_fix

Configure authentication for console access on the network device.

b
All in-band sessions to the NMS must be secured using FIPS 140-2 approved encryption and hashing algorithms.
Medium - V-4613 - SV-4613r2_rule
RMF Control
Severity
Medium
CCI
Version
NET1762
Vuln IDs
  • V-4613
Rule IDs
  • SV-4613r2_rule
Without the use of FIPS 140-2 encryption to in-band management connections, unauthorized users may gain access to the NMS enabling them to change device configurations and SNMP variables that can cause disruptions and even denial of service conditions. Information Assurance OfficerECNK-1, ECSC-1
Checks: C-3832r2_chk

Inspect the NMS configuration to validate in-band management access is using an approved FIPS 140-2 encryption and hashing algorithm.

Fix: F-4546r2_fix

Implement and configure an approved FIPs 140-2 encryption and hashing algorithm for in-band management to the NMS.

b
The network devices must only allow management connections for administrative access from hosts residing in the management network.
Medium - V-5611 - SV-5611r5_rule
RMF Control
Severity
Medium
CCI
Version
NET1637
Vuln IDs
  • V-5611
Rule IDs
  • SV-5611r5_rule
Remote administration is inherently dangerous because anyone with a sniffer and access to the right LAN segment could acquire the device account and password information. With this intercepted information they could gain access to the infrastructure and cause denial of service attacks, intercept sensitive information, or perform other destructive actions.
Checks: C-3527r6_chk

Review the configuration and verify management access to the device is allowed only from hosts within the management network. If management access can be gained from outside of the authorized management network, this is a finding.

Fix: F-5522r4_fix

Configure an ACL or filter to restrict management access to the device from only the management network.

b
The network devices must be configured to timeout after 60 seconds or less for incomplete or broken SSH sessions.
Medium - V-5612 - SV-5612r4_rule
RMF Control
Severity
Medium
CCI
Version
NET1645
Vuln IDs
  • V-5612
Rule IDs
  • SV-5612r4_rule
An attacker may attempt to connect to the device using SSH by guessing the authentication method, encryption algorithm, and keys. Limiting the amount of time allowed for authenticating and negotiating the SSH session reduces the window of opportunity for the malicious user attempting to make a connection to the network device.Information Assurance Officer
Checks: C-3534r6_chk

Review the configuration and verify the timeout is set for 60 seconds or less. The SSH service terminates the connection if protocol negotiation (that includes user authentication) is not complete within this timeout period. If the device is not configured to drop broken SSH sessions after 60 seconds, this is a finding.

Fix: F-5523r5_fix

Configure the network devices so it will require a secure shell timeout of 60 seconds or less.

b
The network device must be configured for a maximum number of unsuccessful SSH logon attempts set at 3 before resetting the interface.
Medium - V-5613 - SV-5613r4_rule
RMF Control
Severity
Medium
CCI
Version
NET1646
Vuln IDs
  • V-5613
Rule IDs
  • SV-5613r4_rule
An attacker may attempt to connect to the device using SSH by guessing the authentication method and authentication key or shared secret. Setting the authentication retry to 3 or less strengthens against a Brute Force attack.Information Assurance Officer
Checks: C-3538r8_chk

Review the configuration and verify the number of unsuccessful SSH logon attempts is set at 3. If the device is not configured to reset unsuccessful SSH logon attempts at 3, this is a finding.

Fix: F-5524r9_fix

Configure the network device to require a maximum number of unsuccessful SSH logon attempts at 3.

b
The TFTP server used to store network element configurations and images must be only connected to the management network.
Medium - V-5644 - SV-5644r2_rule
RMF Control
Severity
Medium
CCI
Version
NET1071
Vuln IDs
  • V-5644
Rule IDs
  • SV-5644r2_rule
TFTP that contains network element configurations and images must only be connected to the management network to enforce restricted and limited access.Information Assurance OfficerECSC-1
Checks: C-3657r2_chk

Review the layer 2 and layer 3 network topology to determine what network the TFTP server is connected to. Verify that the server has been configured or assigned an IP address that belongs to the management network.

Fix: F-5555r2_fix

Connect the TFTP server only to the management network.

b
The network device must drop half-open TCP connections through filtering thresholds or timeout periods.
Medium - V-5646 - SV-5646r5_rule
RMF Control
Severity
Medium
CCI
Version
NET0965
Vuln IDs
  • V-5646
Rule IDs
  • SV-5646r5_rule
A TCP connection consists of a three-way handshake message sequence. A connection request is transmitted by the originator, an acknowledgement is returned from the receiver, and then an acceptance of that acknowledgement is sent by the originator. An attacker's goal in this scenario is to cause a denial of service to the network or device by initiating a high volume of TCP packets, then never sending an acknowledgement, leaving connections in a half-opened state. Without the device having a connection or time threshold for these half-opened sessions, the device risks being a victim of a denial of service attack. Setting a TCP timeout threshold will instruct the device to shut down any incomplete connections. Services such as SSH, BGP, SNMP, LDP, etc. are some services that may be prone to these types of denial of service attacks. If the router does not have any BGP connections with BGP neighbors across WAN links, values could be set to even tighter constraints.Information Assurance Officer
Checks: C-3604r11_chk

Review the device configuration to determine if threshold filters or timeout periods are set for dropping excessive half-open TCP connections. For timeout periods, the time should be set to 10 seconds or less. If the device cannot be configured for 10 seconds or less, it should be set to the least amount of time allowable in the configuration. Threshold filters will need to be determined by the organization for optimal filtering. If the device is not configured in a way to drop half-open TCP connections using filtering or timeout periods, this is a finding.

Fix: F-5557r6_fix

Configure the device to drop half-open TCP connections through threshold filtering or timeout periods.

a
The auxiliary port must be disabled unless it is connected to a secured modem providing encryption and authentication.
Low - V-7011 - SV-7365r4_rule
RMF Control
Severity
Low
CCI
Version
NET1629
Vuln IDs
  • V-7011
Rule IDs
  • SV-7365r4_rule
The use of POTS lines to modems connecting to network devices provides clear text of authentication traffic over commercial circuits that could be captured and used to compromise the network. Additional war dial attacks on the device could degrade the device and the production network. Secured modem devices must be able to authenticate users and must negotiate a key exchange before full encryption takes place. The modem will provide full encryption capability (Triple DES) or stronger. The technician who manages these devices will be authenticated using a key fob and granted access to the appropriate maintenance port, thus the technician will gain access to the managed device (router, switch, etc.). The token provides a method of strong (two-factor) user authentication. The token works in conjunction with a server to generate one-time user passwords that will change values at second intervals. The user must know a personal identification number (PIN) and possess the token to be allowed access to the device.Information Assurance Officer
Checks: C-3513r5_chk

Review the configuration and verify the auxiliary port is disabled unless a secured modem providing encryption and authentication is connected. If the auxiliary port is enabled without the use of a secured modem, this is a finding.

Fix: F-6614r3_fix

Disable the auxiliary port. If used for out-of-band administrative access, the port must be connected to a secured modem providing encryption and authentication.

b
The IAO will ensure that 802.1x is implemented using a secure EAP such as EAP-TLS, EAP-TTLS or PEAP.
Medium - V-7542 - SV-8011r1_rule
RMF Control
Severity
Medium
CCI
Version
NET-NAC-010
Vuln IDs
  • V-7542
Rule IDs
  • SV-8011r1_rule
EAP methods/types are continually being proposed, however, the three being considered secure are EAP-TLS, EAP-TTLS, and PEAP. PEAP is the preferred EAP type to be used in DoD because of its ability to support a greater number of operating systems and its capability to transmit statement of health information, per NSA NAC study. Lightweight EAP (LEAP) is a CISCO proprietary protocol providing an easy-to-deploy one password authentication. LEAP is vulnerable to dictionary attacks. A "man in the middle" can capture traffic, identify a password, and then use it to access a WLAN. LEAP is inappropriate and does not provide sufficient security for use on DOD networks. EAP-MD5 is functionally similar to CHAP and is susceptible to eavesdropping because the password credentials are sent as a hash (not encrypted). In addition, server administrators would be required to store unencrypted passwords on their servers violating other security policies. EAP-MD5 is inappropriate and does not provide sufficient security for use on DOD networks. Information Assurance Officer
Checks: C-5960r1_chk

Verify that the authentication server is configured to use a strong EAP such as EAP-TLS, EAP-TTLS or PEAP

Fix: F-6892r1_fix

Confiugre the authentication server to use a strong EAP such as EAP-TLS, EAP-TTLS or PEAP.

a
Alerts must be automatically generated to notify the administrator when log storage reaches seventy-five percent or more of its maximum capacity.
Low - V-14646 - SV-15272r3_rule
RMF Control
Severity
Low
CCI
Version
NET0386
Vuln IDs
  • V-14646
Rule IDs
  • SV-15272r3_rule
Configuring the network device or syslog server to provide alerts to the administrator in the event of modification or audit log capacity being exceeded ensures administrative staff is aware of critical alerts. Without this type of notification setup, logged audits and events could potentially fill to capacity, causing subsequent records to not be recorded and dropped without any knowledge by the administrative staff. Other unintended consequences of filling the log storage to capacity may include a denial of service of the device itself without proper notification.Information Assurance Officer
Checks: C-13714r5_chk

Review the network device or syslog server to determine whether alerts are configured to automatically generate and notify the administrator when seventy-five percent or more of the storage capacity has been reached with log data. If alerts are not configured for notification when exceeding storage capacity, this is a finding.

Fix: F-14748r4_fix

Configure the network device or syslog server to automatically generate and notify the administrator when seventy-five percent or more of the storage capacity has been reached with log data.

b
Network devices must authenticate all NTP messages received from NTP servers and peers.
Medium - V-14671 - SV-15327r6_rule
RMF Control
Severity
Medium
CCI
Version
NET0813
Vuln IDs
  • V-14671
Rule IDs
  • SV-15327r6_rule
Since NTP is used to ensure accurate log file time stamp information, NTP could pose a security risk if a malicious user were able to falsify NTP information. To launch an attack on the NTP infrastructure, a hacker could inject time that would be accepted by NTP clients by spoofing the IP address of a valid NTP server. To mitigate this risk, the time messages must be authenticated by the client before accepting them as a time source. Two NTP-enabled devices can communicate in either client-server mode or peer-to-peer mode (aka "symmetric mode"). The peering mode is configured manually on the device and indicated in the outgoing NTP packets. The fundamental difference is the synchronization behavior: an NTP server can synchronize to a peer with better stratum, whereas it will never synchronize to its client regardless of the client's stratum. From a protocol perspective, NTP clients are no different from the NTP servers. The NTP client can synchronize to multiple NTP servers, select the best server and synchronize with it, or synchronize to the averaged value returned by the servers. A hierarchical model can be used to improve scalability. With this implementation, an NTP client can also become an NTP server providing time to downstream clients at a higher stratum level and of decreasing accuracy than that of its upstream server. To increase availability, NTP peering can be used between NTP servers. In the event the device loses connectivity to its upstream NTP server, it will be able to choose time from one of its peers. The NTP authentication model is opposite of the typical client-server authentication model. NTP authentication enables an NTP client or peer to authenticate time received from their servers and peers. It is not used to authenticate NTP clients because NTP servers do not care about the authenticity of their clients, as they never accept any time from them.
Checks: C-12793r9_chk

Review the network element configuration and verify that it is authenticating NTP messages received from the NTP server or peer using a FIPS-approved message authentication code algorithm. FIPS-approved algorithms for authentication are the cipher-based message authentication code (CMAC) and the keyed-hash message authentication code (HMAC). AES and 3DES are NIST-approved CMAC algorithms. The following are NIST-approved HMAC algorithms: SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, and SHA-512/256. Downgrade: If the network device is not capable of authenticating the NTP server or peer using a FIPS-approved message authentication code algorithm, then MD5 can be utilized for NTP message authentication and the finding can be downgraded to a CAT III. If the network element is not configured to authenticate received NTP messages using a FIPS-approved message authentication code algorithm, this is a finding. A downgrade can be determined based on the criteria above.

Fix: F-14132r4_fix

Configure the device to authenticate all received NTP messages using a FIPS-approved message authentication code algorithm.

b
The network device must not allow SSH Version 1 to be used for administrative access.
Medium - V-14717 - SV-15459r4_rule
RMF Control
Severity
Medium
CCI
Version
NET1647
Vuln IDs
  • V-14717
Rule IDs
  • SV-15459r4_rule
SSH Version 1 is a protocol that has never been defined in a standard. Since SSH-1 has inherent design flaws which make it vulnerable to attacks, e.g., man-in-the-middle attacks, it is now generally considered obsolete and should be avoided by explicitly disabling fallback to SSH-1.Information Assurance Officer
Checks: C-12924r8_chk

Review the configuration and verify SSH Version 1 is not being used for administrative access. If the device is using an SSHv1 session, this is a finding.

Fix: F-14184r5_fix

Configure the network device to use SSH version 2.

b
The IAO/NSO will ensure the AAA authentication method implements user authentication.
Medium - V-15433 - SV-16260r1_rule
RMF Control
Severity
Medium
CCI
Version
NET0434
Vuln IDs
  • V-15433
Rule IDs
  • SV-16260r1_rule
Group accounts are not permitted.Information Assurance Officer
Checks: C-14440r1_chk

Review the AAA server configuration. Attempt to identify suspicious group profile definitions that do not meet the accounts user-id naming convention. Example:supr-user. Below is an example of what an SA profile may be associated. Group Profile Information group = rtr_super{ profile_id = 40 profile_cycle = 1 service=shell { default cmd=permit cmd=debug { deny all permit .* } } } Below is an example of the user definition that should be assigned with a valid ID, (not rtr-geek). Look for group accounts here: user = rtr-geek{ profile_id = 45 profile_cycle = 1 member = rtr_super password = des "********" }

Fix: F-15097r1_fix

Remove all group profiles from the AAA server.

c
The emergency administration account must be set to an appropriate authorization level to perform necessary administrative functions when the authentication server is not online.
High - V-15434 - SV-16261r5_rule
RMF Control
Severity
High
CCI
Version
NET0441
Vuln IDs
  • V-15434
Rule IDs
  • SV-16261r5_rule
The emergency administration account is to be configured as a local account on the network devices. It is to be used only when the authentication server is offline or not reachable via the network. The emergency account must be set to an appropriate authorization level to perform necessary administrative functions during this time.Information Assurance Officer
Checks: C-14441r6_chk

Review the emergency administration account configured on the network devices and verify that it has been assigned to a privilege level that will enable the administrator to perform necessary administrative functions when the authentication server is not online. If the emergency administration account is configured for more access than needed to troubleshoot issues, this is a finding.

Fix: F-15098r7_fix

Assign a privilege level to the emergency administration account to allow the administrator to perform necessary administrative functions when the authentication server is not online.

b
The network devices OOBM interface must be configured with an OOBM network address.
Medium - V-17821 - SV-19075r4_rule
RMF Control
Severity
Medium
CCI
Version
NET0991
Vuln IDs
  • V-17821
Rule IDs
  • SV-19075r4_rule
The OOBM access switch will connect to the management interface of the managed network device. The management interface of the managed network device will be directly connected to the OOBM network. An OOBM interface does not forward transit traffic; thereby, providing complete separation of production and management traffic. Since all management traffic is immediately forwarded into the management network, it is not exposed to possible tampering. The separation also ensures that congestion or failures in the managed network do not affect the management of the device. If the OOBM interface does not have an IP address from the managed network address space, it will not have reachability from the NOC using scalable and normal control plane and forwarding mechanisms.System AdministratorInformation Assurance Officer
Checks: C-19238r5_chk

Review the device configuration to determine if the OOB management interface is assigned an appropriate IP address from the authorized OOB management network. If an IP address assigned to the interface is not from an authorized OOB management network, this is a finding.

Fix: F-17736r2_fix

Configure the OOB management interface with an IP address from the address space belonging to the OOBM network.

b
The network devices management interface must be configured with both an ingress and egress ACL.
Medium - V-17822 - SV-19076r4_rule
RMF Control
Severity
Medium
CCI
Version
NET0992
Vuln IDs
  • V-17822
Rule IDs
  • SV-19076r4_rule
The OOBM access switch will connect to the management interface of the managed network device. The management interface can be a true OOBM interface or a standard interface functioning as the management interface. In either case, the management interface of the managed network device will be directly connected to the OOBM network. An OOBM interface does not forward transit traffic; thereby, providing complete separation of production and management traffic. Since all management traffic is immediately forwarded into the management network, it is not exposed to possible tampering. The separation also ensures that congestion or failures in the managed network do not affect the management of the device. If the device does not have an OOBM port, the interface functioning as the management interface must be configured so that management traffic does not leak into the managed network and that production traffic does not leak into the management network.System AdministratorInformation Assurance Officer
Checks: C-19239r5_chk

Step 1: Verify the managed interface has an inbound and outbound ACL or filter. Step 2: Verify the ingress ACL blocks all transit traffic--that is, any traffic not destined to the router itself. In addition, traffic accessing the managed elements should be originated at the NOC. Step 3: Verify the egress ACL blocks any traffic not originated by the managed element. If management interface does not have an ingress and egress filter configured and applied, this is a finding.

Fix: F-17737r2_fix

If the management interface is a routed interface, it must be configured with both an ingress and egress ACL. The ingress ACL should block any transit traffic, while the egress ACL should block any traffic that was not originated by the managed network device.

b
The communications server is not configured to use PPP encapsulation and PPP authentication EAP for the async or AUX port used for dial in.
Medium - V-17840 - SV-19115r2_rule
RMF Control
Severity
Medium
CCI
Version
NET1615
Vuln IDs
  • V-17840
Rule IDs
  • SV-19115r2_rule
A communications server (aka terminal server) can be used to provide interconnectivity between all managed network elements and the OOBM gateway router for administrative access to the device’s console port. In the event the OOBM network is not able to provide connectivity due to an outage, the communications server can provide a dial-up PPP connection to access a network element. The auxiliary port, consol port, as well as any slow-speed async serial port with an analog modem connected to the managed device also provides the capability for direct dial-up administrative access for infrastructures that do not have a communications server for management access.
Checks: C-19324r2_chk

Step 1: Issue the show line command to see the AUX port tty numbering for the communications server. The numbering varies based on the router model and modules installed. Step 2: Review the communications server configuration and verify that EAP is used for PPP authentication. Assuming that line 4 is bound to the AUX port, the configuration would look similar to the example shown below: interface async 4 encapsulation ppp ppp authentication eap

Fix: F-17767r2_fix

Configure the communications server to use PPP encapsulation and PPP authentication EAP for the async or AUX port used for dial in.

a
The communications server is not configured to require AAA authentication for PPP connections using a RADIUS or TACACS+ authentication server in conjunction with 2-factor authentication.
Low - V-17841 - SV-19116r1_rule
RMF Control
Severity
Low
CCI
Version
NET1616
Vuln IDs
  • V-17841
Rule IDs
  • SV-19116r1_rule
A communications server (aka terminal server) can be used to provide interconnectivity between all managed network elements and the OOBM gateway router for administrative access to the device’s console port. In the event the OOBM network is not able to provide connectivity due to an outage, the communications server can provide a dial-up PPP connection to access a network element. The auxiliary port, consol port, as well as any slow-speed async serial port with an analog modem connected to the managed device also provides the capability for direct dial-up administrative access for infrastructures that do not have a communications server for management access.Information Assurance OfficerEBRP-1
Checks: C-19325r1_chk

Review the communications server configuration and verify that PPP connections require AAA authentication using a RADIUS or TACACS+ authentication server. aaa new-model aaa authentication ppp list-name tacacs+ local .. tacacs-server host 200.200.2.2 tacacs-server host 300.300.3.3 Upon verifying that an AAA server is used for authenticating dial-up connections to the communications server, review the AAA server to ensure two-factor is used.

Fix: F-17768r1_fix

Configure the communications server to use an AAA server to authenticate all administrators authorized for dial-up access using 2-factor authentication.

a
The communications server is not configured accept a callback request or in a secured mode so that it will not callback an unauthorized user.
Low - V-17842 - SV-19117r1_rule
RMF Control
Severity
Low
CCI
Version
NET1617
Vuln IDs
  • V-17842
Rule IDs
  • SV-19117r1_rule
A communications server (aka terminal server) can be used to provide interconnectivity between all managed network elements and the OOBM gateway router for administrative access to the device’s console port. In the event the OOBM network is not able to provide connectivity due to an outage, the communications server can provide a dial-up PPP connection to access a network element. The auxiliary port, consol port, as well as any slow-speed async serial port with an analog modem connected to the managed device also provides the capability for direct dial-up administrative access for infrastructures that do not have a communications server for management access.Information Assurance OfficerEBRP-1
Checks: C-19326r1_chk

Review the configuration of the communications server. The following example configuration would enable a secured call back on a Cisco network access server: interface s0/1 physical-layer async ip address 192.168.8.1 255.255.255.252 encapsulation ppp async mode dedicated ppp authentication chap ppp callback accept dialer callback-secure dialer map ip 192.168.8.2 name Dean class dial-back-admin 1112223333 dialer map ip 192.168.8.3 name Dana class dial-back-admin 1113334444 ! map-class dialer dial-back-admin dialer callback-server username dialer hold-queue timeout 60 The call-back numbers used for each authorized user must be defined within the communications server local database or the AAA server. In the example above, the username identifies the return call by looking up the authenticated host name in a dialer map command. Do not allow the client to supply the callback number such as, pre-configuring a null dial string for an authorized dial-up user in the access server database or the AAA. An alternative to the communication server and AAA server implementation is an integrated solution that includes the following: 1. a secured modem using FIPS 140-2 compliant encryption for the connection 2. an integrated RSA Secure ID server for 2-factor authentication 3. OOB connectivity to the managed device via console port access granted after the administrator has been authenticated

Fix: F-17774r1_fix

The communications server must be configured to accept a callback request. In addition, it must be configured in a secured mode so that it will not callback an unauthorized user.

b
The AAA server is not compliant with respective OS STIG.
Medium - V-17843 - SV-19118r1_rule
RMF Control
Severity
Medium
CCI
Version
NET0436
Vuln IDs
  • V-17843
Rule IDs
  • SV-19118r1_rule
Using standardized authentication protocols such as RADIUS, TACACS+, and Kerberos, an authentication server provides centralized and robust authentication services for the management of network components. An authentication server is very scalable as it supports many user accounts and authentication sessions with the network components. It is critical that the AAA server’s operating system is secured and other methods are used to ensure that the server is not compromised.Information Assurance Officer
Checks: C-19334r1_chk

Interview the IAO and administrator to determine if the server is compliant with respective OS STIG.

Fix: F-17778r1_fix

Configure the platforms hosting the AAA server in accordance with the appropriate OS STIG.

a
The AAA server is not configured with a unique key to be used for communication (i.e. RADIUS, TACACS+) with any client requesting authentication services.
Low - V-17844 - SV-19119r1_rule
RMF Control
Severity
Low
CCI
Version
NET0437
Vuln IDs
  • V-17844
Rule IDs
  • SV-19119r1_rule
Using standardized authentication protocols such as RADIUS, TACACS+, and Kerberos, an authentication server provides centralized and robust authentication services for the management of network components. An authentication server is very scalable as it supports many user accounts and authentication sessions with the network components. It is critical that the AAA server’s operating system is secured and other methods are used to ensure that the server is not compromised.Information Assurance OfficerECSC-1
Checks: C-19335r1_chk

Interview the IAO and administrator to determine if unique keys have been configured.

Fix: F-17781r1_fix

Configure each AAA server with a unique key to be used for communication (i.e. RADIUS, TACACS+) with any client requesting authentication services.

b
An HIDS has not been implemented on the AAA server
Medium - V-17845 - SV-19120r1_rule
RMF Control
Severity
Medium
CCI
Version
NET0438
Vuln IDs
  • V-17845
Rule IDs
  • SV-19120r1_rule
Using standardized authentication protocols such as RADIUS, TACACS+, and Kerberos, an authentication server provides centralized and robust authentication services for the management of network components. An authentication server is very scalable as it supports many user accounts and authentication sessions with the network components. It is critical that the AAA server’s operating system is secured and other methods are used to ensure that the server is not compromised.Information Assurance Officer
Checks: C-19336r1_chk

Interview the IAO and AAA administrator to determine if the server is compliant. Have the administrator provide a demonstration of the HIDS capability to ensure that it is configured and in operation.

Fix: F-17782r1_fix

Implement an HIDS on the AAA server.

a
The NTP server is not compliant with the OS STIG
Low - V-17848 - SV-19123r1_rule
RMF Control
Severity
Low
CCI
Version
NET0815
Vuln IDs
  • V-17848
Rule IDs
  • SV-19123r1_rule
NTP provides an efficient and scalable method for managed network elements to actively synchronize to an accurate time source. Insuring that there are always NTP servers available to provide time is critical. It is imperative that all single points of failure for the NTP infrastructure are eliminated. Knowing the correct time is not only crucial for proper network functioning but also for security. Compromising an NTP server opens the door to more sophisticated attacks that include NTP poisoning, replay attacks, and denial of service. To provide security through separation and isolation, the NTP server should only be connected to the management network. This enables the NTP server to provide time to the managed devices using a secured as well as a preferred path. If the NTP server is not an appliance, it is critical that the system is secured by maintaining compliance with the appropriate OS STIG as well as implementing an HIDS. Information Assurance OfficerDCCS-1, DCCS-2
Checks: C-19349r1_chk

Interview the IAO and administrator to determine if the server is compliant with respective OS STIG.

Fix: F-17785r1_fix

If the NTP server is not an appliance, configure the platform hosting the NTP server in accordance with the appropriate OS STIG.

a
An HIDS has not been implemented on the NTP server.
Low - V-17849 - SV-19124r1_rule
RMF Control
Severity
Low
CCI
Version
NET0816
Vuln IDs
  • V-17849
Rule IDs
  • SV-19124r1_rule
NTP provides an efficient and scalable method for managed network elements to actively synchronize to an accurate time source. Insuring that there are always NTP servers available to provide time is critical. It is imperative that all single points of failure for the NTP infrastructure are eliminated. Knowing the correct time is not only crucial for proper network functioning but also for security. Compromising an NTP server opens the door to more sophisticated attacks that include NTP poisoning, replay attacks, and denial of service. To provide security through separation and isolation, the NTP server should only be connected to the management network. This enables the NTP server to provide time to the managed devices using a secured as well as a preferred path. If the NTP server is not an appliance, it is critical that the system is secured by maintaining compliance with the appropriate OS STIG as well as implementing an HIDS. Information Assurance Officer
Checks:

Fix: F-17786r1_fix

Implement an HIDS on the NTP server

a
Two independent sources of time reference are not being utilized.
Low - V-17850 - SV-19125r1_rule
RMF Control
Severity
Low
CCI
Version
NET0817
Vuln IDs
  • V-17850
Rule IDs
  • SV-19125r1_rule
NTP provides an efficient and scalable method for managed network elements to actively synchronize to an accurate time source. Insuring that there are always NTP servers available to provide time is critical. It is imperative that all single points of failure for the NTP infrastructure are eliminated. Knowing the correct time is not only crucial for proper network functioning but also for security. Compromising an NTP server opens the door to more sophisticated attacks that include NTP poisoning, replay attacks, and denial of service. Hence, it is imperative that at least two independent sources of time reference are used.Information Assurance OfficerECSC-1
Checks: C-19351r1_chk

Review both NTP server configurations to determine that they are referencing two different reference clocks and that the NTP servers are peering with each other. An alternative configuration for management networks that have a gateway would be to implement two stratum-2 servers peering with each other and each referencing a different trusted external stratum 1 server. This is a less expensive solution that still provides redundancy, but not quite the same accuracy.

Fix: F-17787r1_fix

Use at least two independent sources of time reference. The best practice is to deploy two stratum 1 servers, each connected to a different reference clock (GPS, NIST WWVB) and both peering with each other for redundancy.

a
The NTP server is not configured with a symmetric key that is unique from any key configured on any other NTP server.
Low - V-17852 - SV-19127r1_rule
RMF Control
Severity
Low
CCI
Version
NET0819
Vuln IDs
  • V-17852
Rule IDs
  • SV-19127r1_rule
NTP provides an efficient and scalable method for managed network elements to actively synchronize to an accurate time source. Insuring that there are always NTP servers available to provide time is critical. It is imperative that all single points of failure for the NTP infrastructure are eliminated. Knowing the correct time is not only crucial for proper network functioning but also for security. Compromising an NTP server opens the door to more sophisticated attacks that include NTP poisoning, replay attacks, and denial of service. Information Assurance Officer
Checks: C-19353r1_chk

Interview the IAO and administrator to determine if unique keys have been configured.

Fix: F-17789r1_fix

If a hashing algorithm is being used, all servers must be configured with a symmetric key that is unique from any key configured on any other NTP server.

b
The SNMP manager is not compliant with the OS STIG
Medium - V-17854 - SV-19129r1_rule
RMF Control
Severity
Medium
CCI
Version
NET1731
Vuln IDs
  • V-17854
Rule IDs
  • SV-19129r1_rule
The SNMP manager provides the interface between the network management personnel and the managed network. On the other hand, the SNMP agent provides the interface between the manager and the device being managed. The manager is the collector of alarm information via SNMP traps as well as statistical and historical management information retrieved by polling the agents within the managed network. This information is vital for real time monitoring and alarm management as well as for strategic planning and performance management. IA measures must be implemented to mitigate the risk of the SNMP manager being compromised.Information Assurance OfficerDCCS-1, DCCS-2
Checks: C-19355r1_chk

Interview the IAO and administrator to determine if the SNMP manager is compliant with respective OS STIG.

Fix: F-17791r1_fix

Configure the SNMP manager to be compliant with the appropriate OS STIG

a
An HIDS has not been implemented on the SNMP manager
Low - V-17855 - SV-19130r1_rule
RMF Control
Severity
Low
CCI
Version
NET1732
Vuln IDs
  • V-17855
Rule IDs
  • SV-19130r1_rule
The SNMP manager provides the interface between the network management personnel and the managed network. On the other hand, the SNMP agent provides the interface between the manager and the device being managed. The manager is the collector of alarm information via SNMP traps as well as statistical and historical management information retrieved by polling the agents within the managed network. This information is vital for real time monitoring and alarm management as well as for strategic planning and performance management. In addition to the SNMP safeguards outlined in section 2, IA measures must be implemented to mitigate the risk of the SNMP manager being compromised.Information Assurance OfficerECID-1
Checks: C-19356r1_chk

Interview the IAO and the administrator to determine if the SNMP manager is compliant. Have the administrator provide a demonstration of the HIDS capability to ensure that it is configured and in operation

Fix: F-17792r1_fix

Implement an HIDS to provide access control for the SNMP data as well as provide the necessary protection against unauthorized modifications and access.

b
The SNMP manager is not connected to only the management network.
Medium - V-17856 - SV-19131r1_rule
RMF Control
Severity
Medium
CCI
Version
NET1733
Vuln IDs
  • V-17856
Rule IDs
  • SV-19131r1_rule
The SNMP manager provides the interface between the network management personnel and the managed network. On the other hand, the SNMP agent provides the interface between the manager and the device being managed. The manager is the collector of alarm information via SNMP traps as well as statistical and historical management information retrieved by polling the agents within the managed network. This information is vital for real time monitoring and alarm management as well as for strategic planning and performance management. To provide security through separation and isolation, the SNMP manager should only be connected to the management network. This enables the SNMP manager to provide management services to the managed devices using a secured as well as a preferred path.Information Assurance OfficerECSC-1
Checks: C-19358r1_chk

Review the network topology to determine what network the network manager is connected to. Verify that it is not dual-homed by physically inspecting the device’s LAN connection.

Fix: F-17793r1_fix

Connect the SNMP manager only to the management network.

a
SNMP messages are stored for a minimum of 30 days and then archived.
Low - V-17857 - SV-19132r1_rule
RMF Control
Severity
Low
CCI
Version
NET1734
Vuln IDs
  • V-17857
Rule IDs
  • SV-19132r1_rule
The SNMP manager provides the interface between the network management personnel and the managed network. On the other hand, the SNMP agent provides the interface between the manager and the device being managed. The manager is the collector of alarm information via SNMP traps as well as statistical and historical management information retrieved by polling the agents within the managed network. This information is vital for real time monitoring and alarm management as well as for strategic planning and performance management.System AdministratorInformation Assurance Officer
Checks: C-19359r1_chk

Review network management station configuration to determine if SNMP messages are stored for a minimum of 30 days and then archived. Interview the network administrator to verify if they are stored offline for a minimum of one year.

Fix: F-17795r1_fix

Configure the SNMP manager to store SNMP messages for a minimum of 30 days and then stored offline for one year.

b
The production VLAN assigned from the AAA server contains IP segments not intended for untrusted resources.
Medium - V-18555 - SV-20099r1_rule
RMF Control
Severity
Medium
CCI
Version
NET-NAC-001
Vuln IDs
  • V-18555
Rule IDs
  • SV-20099r1_rule
When policy assessment and remediation have been implemented and the advanced AAA server dynamic VLAN is mis-configured, logical separation of the production VLAN may not be assured. Non-trusted resources are resources that are not authenticated in a NAC solution implementing only the authentication component of NAC. Non-trusted resources could become resources that have been authenticated but have not had a successful policy assessment when the automated policy assessment component has been implemented.Information Assurance Officer
Checks: C-21582r1_chk

Review the AAA server configuration. Have the SA display the policy groups. Have the SA display the vlan configuration. VLANs will be defined under Tunnel-Pvt-Group-ID with a tunnel type of VLAN. The dynamic VLAN definitions will have a IP pool assignment. Ensure the Production VLAN does not share the same AAA IP pool . Then verify the subnets used in other pools are not the same as the production.

Fix: F-19171r1_fix

Build different IP pools. Use different IP subnets for each pool.

b
The IAO/NSO will ensure the network access control policy contains all non-authenticated network access requests in an Unauthorized VLAN with limited access.
Medium - V-18558 - SV-20102r1_rule
RMF Control
Severity
Medium
CCI
Version
NET-NAC-004
Vuln IDs
  • V-18558
Rule IDs
  • SV-20102r1_rule
Devices having an IP address that do not pass authentication can be used to attack compliant devices if they share vlans. When devices proceed into the NAC AAA (radius) functions they must originate in the Unauthorized VLAN by default. If the device fails authentication it should be denied IP capability and movement to other dynamic VLANs used in the NAC process flow or moved to a VLAN that has limited capability such as a Guest VLAN with internet access, but without access to production assets.Information Assurance Officer
Checks: C-21584r1_chk

Review the AAA server configuration. If the SA has created a dynamic Unauthorized VLAN, definitions should not have a IP pool assignment. Ensure the Unauthorized VLAN is configured without IP or a Guest VLAN is defined with limited access.

Fix: F-19173r1_fix

Implement a NAC solution where the device remains without IP assignment if authentication fails or create a dynamic Unauthorized VLAN / Guest VLAN with limited access in AAA server. If a Guest VLAN is built, it should not have access to production data.

a
Network devices must use at least two NTP servers to synchronize time.
Low - V-23747 - SV-28651r4_rule
RMF Control
Severity
Low
CCI
Version
NET0812
Vuln IDs
  • V-23747
Rule IDs
  • SV-28651r4_rule
Without synchronized time, accurately correlating information between devices becomes difficult, if not impossible. If logs cannot be successfully compared between each of the routers, switches, and firewalls, it will be very difficult to determine the exact events that resulted in a network breach incident. NTP provides an efficient and scalable method for network devices to synchronize to an accurate time source.System AdministratorInformation Assurance Officer
Checks: C-3581r5_chk

Review the configuration and verify two NTP servers have been defined. If the device is not configured to use two separate NTP servers, this is a finding.

Fix: F-3044r2_fix

Configure the device to use two separate NTP servers.

b
The IAO will ensure the syslog server is only connected to the management network.
Medium - V-23749 - SV-28655r1_rule
RMF Control
Severity
Medium
CCI
Version
NET1022
Vuln IDs
  • V-23749
Rule IDs
  • SV-28655r1_rule
A syslog server provides the network administrator the ability to configure all of the communication devices on a network to send log messages to a centralized host for review, correlation, reporting, and storage. This implementation provides for easier management of network events and is an effective facility for monitoring and the automatic generation of alert notification. The repository of messages facilitates troubleshooting functions when problems are encountered and can assist in performing root cause analysis. A malicious user or intruder could attempt to cover his tracks by polluting the syslog data or even force the server to crash. Disabling the syslog server would eliminate visibility of the network infrastructure that security analysts depend on. The first line of defense is to ensure that the syslog server will only accept syslog packets from known managed devices and administrative access from trusted management workstations. Because syslog messages are sent from managed devices to the syslog server in clear text an attacker on the network can easily sniff the messages. Furthermore, the syslog protocol uses UDP; thereby, making it relatively easy to spoof a managed device. Placing the syslog server on a separate subnet such as the management network isolated from general access and transient traffic will assist in reducing these risks.Information Assurance Officer
Checks: C-12944r1_chk

Physically inspect the syslog server and its LAN connection as well as review the network topology diagram to verify compliance.

Fix: F-14191r1_fix

Ensure the syslog server is only connected to the management network

b
The IAO will ensure the syslog servers are configured IAW the appropriate OS STIG.
Medium - V-23750 - SV-28656r1_rule
RMF Control
Severity
Medium
CCI
Version
NET1023
Vuln IDs
  • V-23750
Rule IDs
  • SV-28656r1_rule
A syslog server provides the network administrator the ability to configure all of the communication devices on a network to send log messages to a centralized host for review, correlation, reporting, and storage. This implementation provides for easier management of network events and is an effective facility for monitoring and the automatic generation of alert notification. The repository of messages facilitates troubleshooting functions when problems are encountered and can assist in performing root cause analysis. A malicious user or intruder could attempt to cover his tracks by polluting the syslog data or even force the server to crash. Disabling the syslog server would eliminate visibility of the network infrastructure that security analysts depend on. The first line of defense is to ensure that the syslog server will only accept syslog packets from known managed devices and administrative access from trusted management workstations. Because syslog messages are sent from managed devices to the syslog server in clear text an attacker on the network can easily sniff the messages. Furthermore, the syslog protocol uses UDP; thereby, making it relatively easy to spoof a managed device. Placing the syslog server on a separate subnet such as the management network isolated from general access and transient traffic will assist in reducing these risks.System AdministratorInformation Assurance Officer
Checks: C-12945r1_chk

Interview the IAO and syslog administrator to determine if the server is compliant with respective OS STIG.

Fix: F-14192r1_fix

Ensure that the syslog server is compliant with the appropriate OS STIG

b
The NTP server is connected to a network other than the management network.
Medium - V-25883 - SV-32243r1_rule
RMF Control
Severity
Medium
CCI
Version
NET0814
Vuln IDs
  • V-25883
Rule IDs
  • SV-32243r1_rule
NTP provides an efficient and scalable method for managed network elements to actively synchronize to an accurate time source. Insuring that there are always NTP servers available to provide time is critical. It is imperative that all single points of failure for the NTP infrastructure are eliminated. Knowing the correct time is not only crucial for proper network functioning but also for security. Compromising an NTP server opens the door to more sophisticated attacks that include NTP poisoning, replay attacks, and denial of service. To provide security through separation and isolation, the NTP server should only be connected to the management network. This enables the NTP server to provide time to the managed devices using a secured as well as a preferred path.System AdministratorInformation Assurance Officer
Checks: C-32705r1_chk

Review the layer 2 and layer 3 network topology to determine what network the NTP server is connected to. Verify that the server has been configured or assigned an IP address that belongs to the management network.

Fix: F-28796r1_fix

Connect the NTP server only to the management network.

a
The IAO will ensure all AAA authentication services are configured to use two-factor authentication .
Low - V-25894 - SV-32516r1_rule
RMF Control
Severity
Low
CCI
Version
NET0431
Vuln IDs
  • V-25894
Rule IDs
  • SV-32516r1_rule
AAA network security services provide the primary framework through which a network administrator can set up access control on network points of entry or network access servers, which is usually the function of a router or access server. Authentication identifies a user; authorization determines what that user can do; and accounting monitors the network usage. Without AAA, unauthorized users may gain access and possibly control of the routers. If the router network is compromised, large portions of the network could be incapacitated with only a few commands. Information Assurance Officer
Checks: C-32825r1_chk

Have the administrator discuss their implementation. A typical AAA process includes the device being authenticated to direct authentication request directly to a 2-facor server (i.e. ACE) or to an AAA server via RADIUS or TACACS+ which redirects the 'authentication' request to the 2-facor server. Request the administrator to demonstrate the implementation.

Fix: F-28936r1_fix

The IAO will implement a 2-factor authentication solution for granting administrative access to all network elements.

a
The IAO will ensure the authentication server is configured to use tiered authorization groups for various levels of access.
Low - V-25895 - SV-32517r1_rule
RMF Control
Severity
Low
CCI
Version
NET0432
Vuln IDs
  • V-25895
Rule IDs
  • SV-32517r1_rule
The foundation of a good security scheme in the network is the protection of the user interfaces of the networking devices from unauthorized access. Protecting access to the user interfaces on your network devices prevents unauthorized users from making configuration changes that can disrupt the stability of your network or compromise your network security.Information Assurance Officer
Checks: C-32826r1_chk

Review the AAA server implemented and determine if user profiles are members of a group. Determine if the groups have different privileges and the users are in the appropriate groups. In the following TACACS example the user (rtr-test) is a member of the group “rtr-basic”. <CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u rtr_test User Profile Information user = rtr_test{ profile_id = 66 profile_cycle = 1 member = rtr_basic password = des "********" } Below is an example of CiscoSecure TACACS+ server defining the privilege level. user = junior-engineer1 { password = clear "xxxxx" service = shell { set priv-lvl = 7 } }

Fix: F-28937r1_fix

The administrator will configure the authentication server with standard accounts and assign them to privilege levels that meet their job description

b
The IAO will ensure the authentication server is connected to the management network.
Medium - V-25896 - SV-32518r1_rule
RMF Control
Severity
Medium
CCI
Version
NET0435
Vuln IDs
  • V-25896
Rule IDs
  • SV-32518r1_rule
Using standardized authentication protocols such as RADIUS, TACACS+, and Kerberos, an authentication server provides centralized and robust authentication services for the management of network components. In order to control access to the servers as well as monitor traffic to them, the authentication servers should only be connected to the management network.Information Assurance Officer
Checks: C-32827r1_chk

Review the network topology to determine what network they are connected to. Verify that they are not dual-homed by physically inspecting the device’s LAN connection

Fix: F-28938r1_fix

Connect the authentication servers to only the management network.

b
A service or feature that calls home to the vendor must be disabled.
Medium - V-28784 - SV-36774r5_rule
RMF Control
Severity
Medium
CCI
Version
NET0405
Vuln IDs
  • V-28784
Rule IDs
  • SV-36774r5_rule
Call home services or features will routinely send data such as configuration and diagnostic information to the vendor for routine or emergency analysis and troubleshooting. The risk that transmission of sensitive data sent to unauthorized persons could result in data loss or downtime due to an attack.Information Assurance OfficerNetwork Security Officer
Checks: C-35853r4_chk

Review the device configuration to determine if the call home service or feature is disabled on the device. If the call home service is enabled on the device, this is a finding. Note: This feature can be enabled if the communication is only to a server residing in the local area network or enclave.

Fix: F-31103r2_fix

Configure the network device to disable the call home service or feature. Note: This feature can be enabled if the communication is only to a server residing in the local area network or enclave.